
Denial of Service in hapi

High severity. GitHub Reviewed. Published Jun 7, 2018 to the GitHub Advisory Database. Updated Jan 9, 2023.

Package

npm hapi (npm)

Affected versions

< 11.1.3

Patched versions

11.1.3

Description

Versions of hapi prior to 11.1.3 are affected by a denial of service vulnerability.

The vulnerability is triggered when certain input is passed into the If-Modified-Since or Last-Modified headers.

This causes an 'illegal access' exception to be raised, and instead of sending an HTTP 500 error back to the sender, hapi continues to hold the socket open until it times out (Node's default timeout is 2 minutes).

Recommendation

Update to v11.1.3 or later

References

Published to the GitHub Advisory Database Jun 7, 2018
Reviewed Jun 16, 2020
Last updated Jan 9, 2023

Severity

High

EPSS score

0.317% (71st percentile)

Weaknesses

CVE ID

CVE-2015-9241

GHSA ID

GHSA-rc8h-3fv6-pxv8

Source code

No known source code